Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New-MgEntitlementManagementResourceRequest does not populate Role properties #2804

Open
dmaloney02 opened this issue Jun 19, 2024 · 1 comment
Open

New-MgEntitlementManagementResourceRequest does not populate Role properties #2804

dmaloney02 opened this issue Jun 19, 2024 · 1 comment
Labels
Status: Needs Investigation

Comments

@dmaloney02
Copy link

dmaloney02 commented Jun 19, 2024
edited

using the SDK Entitlement Management Catalog resources are created without role properties. The role properties are mandatory for adding the group/role to an access package.

Example of a new catalog group post "New-MgEntitlementManagementResourceRequest" with empty Role properties:
$a = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter "originID eq '$($g.ID)'" -ExpandProperty scopes

$a | fl

Attributes : {}
CreatedDateTime : 6/19/2024 11:14:19 PM
Description : For Development of AP automation only, then can be deleted.
DisplayName : AzureIAM-DEV_Group
Environment : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceEnvironment
Id : c15b9b94-fdc3-414c-a818-dcdca81cc05d
ModifiedDateTime :
OriginId : 3acf4b9f-5601-4eed-8f40-180aa9282f82
OriginSystem : AadGroup
Roles :
Scopes : {e0b1d2cb-0774-4272-a27e-ee2a6d825f74}
AdditionalProperties : {[[email protected], https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('d1d12211-49c5-4a14-9ad0-b2eb2b44
1363')/resources('c15b9b94-fdc3-414c-a818-dcdca81cc05d')/scopes]}

Graph API documentation for "accessPackageResourceRole resource type" states the following:
In Microsoft Entra entitlement management, an access package resource role is a reference to a role defined in a resource. These roles are automatically present after a resource is added to an access package catalog. A group can have two roles, one for the owner and another for the member.

Subsequently, the Catalog group cannot be assigned to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope because the Resource Role ID does not exist.

SDK Documentation here:
https://learn.microsoft.com/en-us/graph/api/accesspackage-post-resourcerolescopes?view=graph-rest-1.0&preserve-view=true&tabs=powershell
@dmaloney02 dmaloney02 added the status:waiting-for-triage An issue that is yet to be reviewed or assigned label Jun 19, 2024
@dmaloney02
Copy link
Author

Update and progress made.

When a AAD security group is added to the catalog two generic roles are created Member and Owner.

Documentation mentions in multiple locates the following command, however the Roles property object is not returned for an AAD group freshly added to the Catalog.

$rrs = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter $filt -ExpandProperty roles,scopes

Instead the "role" specific command is required.

Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $catalog.Id -Filter $filter -ExpandProperty "resource"

Once you have these results you can add the role to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope.

The Graph documentation is hard to follow as raw examples are used.

It took me a week to crack this one.

@timayabi2020 timayabi2020 added Status: Needs Investigation and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Jul 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Needs Investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@timayabi2020 @dmaloney02